Cloudmark Security Blog

A Proportional Response to Email Hacking

One of the significant issues in the current US Presidential election campaign has been the use and abuse of email. Both Hillary Clinton’s use of a private email server for government business while she was Secretary of State, and the allegation that the Russian government has been hacking Democratic National Committee and Clinton campaign emails, have received a lot of attention. Recently the New York Times reported that the Obama administration is considering a ‘Proportionate’ response to the Russian hacking. I would like to suggest that the appropriate response would not be a counterattack, but a strengthening of defenses. Making email harder to hack would be far more effective in the long term than escalating cyber warfare.

First of all, email is not currently a secure medium. Even if messages are encrypted when they are transmitted over the Internet, they are available to anyone who can hack into either the sender’s or the receiver’s email server or client machines. There are at least four possible machines that can be compromised, either with zero-day vulnerabilities or phishing attacks. A handful of emails containing classified information were transmitted through Clinton’s private email server, but that did not necessarily make them any less secure than if they had gone through a government server. As the Office of Personnel Management compromise showed, government servers are vulnerable to hacking as well. Unless messages are end-to-end encrypted from one secure client to another, they should not contain classified information.

Secondly, attribution of cyber attacks is difficult. Vladimir Putin has denied responsibility for the attacks on the Clinton campaign. Though the evidence linking the attacks to a known Russian advanced persistent threat is quite strong, I can think of at least two other nation-state actors who may have the sophistication to reverse engineer the tools used by Russian intelligence and launch a false flag attack. Also, it’s worth remembering that hackers working for the Russian government may have started out as cybercriminals, and may still be operating as independent contractors. It’s possible that business interests in Russia have access to the same hackers as the Russian government, and that the attacks on the DNC and Clinton came from Russian oligarchs who believe that they would be better off if Clinton did not win the election. Then again, there is always the possibility that the US intelligence services are deliberately providing misinformation for political or strategic reasons.

Under the circumstances, I would not be in favor of a counterattack that involved, say, a DDoS attack on the Kremlin or publishing Putin’s private emails. Doing so would simply legitimize cyber attacks as a tool of diplomacy. In my view cyber attacks should be used only for military purposes within the limits of the Geneva Convention. It would be far better to devote our efforts to making email secure against hacking, at the government, business, and personal levels.

There is a significant conflict of interest within the US security services, which are tasked with both cyber intelligence operations and the protection of US interests against cyber attacks. For the first goal they need cyber security to be weak, and for the second goal they need to strengthen it. When a new zero-day vulnerability is discovered by the NSA, do they hoard it for future use against enemies, or make sure it is patched so it cannot be used against the US? Currently, the attackers seem to be winning the internal debate against the defenders, as is indicated by the long-term failure of the NSA to disclose a significant vulnerability in Cisco firewalls.

The functions of attack and defense need to be separated within the US security services. There should be a dedicated Department of Cyber Security. This could set standards for end-to-end encryption of messaging (without backdoors, please), securing Internet of Things devices so that they cannot be used in DDoS attacks, responsible disclosure of vulnerabilities, and so on. This would be a far more effective response to Russian (or other) hacking of US citizens than any cyber counterattack would be.

While we are seeing Google starting to be proactive about issuing warnings when they see advanced persistent threats targeting accounts, email remains an antiquated and insecure form of communication by default. Anyone who has a need for secure communications (which includes government departments, businesses, political campaigns, journalists, and people wishing to share intimate photographs) should not trust their secrets to plaintext email. Here are some suggestions for improving the security of your messaging in various formats:

End-to-end encryption prevents a would-be snoop from eavesdropping on your email and similar communication. For email, simple-to-use plugins for PGP encryption can accomplish this.

Within the enterprise, use a full messaging system that is end-to-end encrypted and does not leave copies of messages on a server, such as those provided by Silent Circle.

For more suggestions, the EFF provides a robust set of tutorials for secure messaging. The EFF also provides comparisons of various secure messaging solutions (now out of date, but still useful) in its Secure Messaging Scorecard.

Note that the best encryption in the world will not save you if your device is compromised by a phishing attack, so organizations and individuals also need to take precautions against this.